sshutout 1.0.6

A daemon that periodically monitors log files
sshutout is a daemon that periodically monitors log files, looking for multiple failed login attempts via the Secure Shell daemon.

sshutout is meant to mitigate what are commonly known as "dictionary attacks," i.e. scripted brute force attacks that use lists of user IDs and passwords to effect unauthorized intrusions.

The sshutout daemon blunts such attacks by creating firewall rules to block individual offenders from accessing the system. These rules are created when an attack signature is detected, and after a configurable expiry interval has elapsed, the rules are deleted.

The sshutout algorithm follows a pretty standard model for *nix daemons. The program starts, assumes a fairly safe set of built-in default values, then consults an optional configuration file to further refine these values, and finally consults the command line for arguments specifying overrides. The program checks to see that it has the required superuser authority and then forks. Its newly forked daemon process detaches from the console; the original process terminates.

Next, an initial whitelist is constructed from the addresses of all active network interfaces. In addition, the name servers and default route are added to this whitelist. Finally, host addresses specified in the configuration file or command line are appended to the list.

Appropriate signal handling is now set up. In this case, SIGHUP, the hang-up signal, is provided with a handler to refresh the daemon's operating parameters from the configuration file. The other handled signals, i.e. SIGTERM and SIGPWR (and possibly SIGINT and SIGQUIT if not running as a daemon), are set up to cause a graceful termination of the daemon process.

After signal handling has been initialized, the daemon enters its main processing loop. The loop spends most of its time in a sleep state, but when it does execute, which is approximately once per second, it examines all entries in its blocked hosts list to see if any are ready to expire. Those that are expiring are removed from the list and are also unblocked at the firewall through removal of the corresponding rule.

The daemon's next action is to determine whether its polling interval has elapsed. If it has not yet elapsed, then the daemon goes back to sleep. If the interval has elapsed, then the daemon examines the host's configuration to see if any changes are required to the whitelist, for example, if any new interfaces have come up, or if the addresses associated with any interfaces have changed, etc.

Next, the daemon will examine the specified log file to look for failed login attempts. It tallies a count of all failed login attempts for each unique host address over the span of the given polling interval. Those tallies that exceed the specified threshold are moved to the list of blocked hosts (unless, of course, they are in the whitelist.) Each item added to the blocked list is also blocked at the firewall through the addition of an suitable rule. This processing continues indefinitely until the daemon is signaled to stop.


su -
tar -xzvf sshutout-1.0.0.tar.gz
cd sshutout-1.0.0
make install

last updated on:
December 7th, 2009, 12:21 GMT
license type:
GPL (GNU General Public License) 
developed by:
Bill DuPree
ROOT \ Security
Download Button

In a hurry? Add it to your Download Basket!

user rating 18



Rate it!

Add your review!